# Static code analysis workflow with CodeQL

name: "🔮 CI CodeQL Scan"

on:
  push:
    branches: [ master ]
    paths:
    - '.github/**/*codeql*.yml'
    - 'Apps/**'
    - 'Modules/**'
    - 'Externals/**'
    - 'Tests/**'
    - 'CMake/**'
    - 'CMakeLists.txt'
    - 'CMakePresets.json'
  pull_request:
    branches: [ master ]
    paths:
    - '.github/**/*codeql*.yml'
    - 'Apps/**'
    - 'Modules/**'
    - 'Externals/**'
    - 'Tests/**'
    - 'CMake/**'
    - 'CMakeLists.txt'
    - 'CMakePresets.json'
  schedule:
    - cron: '20 23 * * 3' # Scheduled workflow will not run in GitHub forks by default

jobs:
  analyze:
    name: ${{ matrix.name }}
    if: ${{ github.repository == 'MethanePowered/MethaneKit' }}

    strategy:
      fail-fast: false
      matrix:
        include:
          # FIXME: Windows CodeQL analysis is DISABLED because it fails with compiler "error C1060: compiler is out of heap space"
          #- os: windows-latest
          #  name: "Win64_DX_CodeQL-Scan"
          #  config_preset: "VS2022-Win64-DX-Scan"
          #  build_preset: "VS2022-Win64-DX-Scan"

          - os: ubuntu-latest
            name: "Ubuntu_VK_CodeQL-Scan"
            config_preset: "Make-Lin-VK-Scan"
            build_preset: "Make-Lin-VK-Scan"

          - os: macos-latest
            name: "MacOS_MTL_CodeQL-Scan"
            config_preset: "Xcode-Mac-MTL-Scan"
            build_preset: "Xcode-Mac-MTL-Scan"

    runs-on: ${{ matrix.os }}

    env:
      NAME: CodeQL-${{ matrix.os }}

    steps:

    - name: Install Linux prerequisites
      if: ${{ matrix.os == 'ubuntu-latest' }}
      run: |
        sudo apt update
        sudo apt install xcb libx11-dev libx11-xcb-dev libxcb-sync-dev libxcb-randr0-dev

    - name: Checkout repository
      uses: actions/checkout@v3

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: cpp
        config-file: ./.github/codeql/codeql-config.yml

    - name: Initialize Externals Cache
      id: cache-externals
      uses: actions/cache@v3
      env:
        cache-name: cache-externals
      with:
        path: Build/Output/ExternalsCache
        key: ExternalsCache-${{ matrix.config_preset }}-${{ hashFiles('Externals/*.cmake') }}

    - name: CMake Configure Preset ${{ matrix.config_preset }}
      run: cmake --preset ${{ matrix.config_preset }} -DMETHANE_CODE_COVERAGE_ENABLED:BOOL=OFF -DMETHANE_TESTS_BUILD_ENABLED:BOOL=OFF

    - name: CMake Build Preset ${{ matrix.build_preset }}
      run: cmake --build --preset ${{ matrix.build_preset }} --parallel 4

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        upload: false
        output: results

    - name: Filter CodeQL Results
      uses: MethanePowered/FilterSarif@master
      with:
        patterns: |
          -Build/Output/**
          -Externals/**
          -Tests/**
        input: results/cpp.sarif
        output: results/cpp-filtered.sarif

    - name: Upload Filtered CodeQL Results
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results/cpp-filtered.sarif
